Windows Sysinternals Administrator's Reference: Security Utilities

  • 6/15/2011


An aspect of Windows network security that is often overlooked is file shares. Lax security settings are an ongoing source of security issues because too many users are granted unnecessary access to files on other computers. If you didn’t specify permissions when creating a file share in Windows, the default used to be to grant Everyone Full Control. That was later changed to grant Everyone just Read access, but even that might expose sensitive information to more people than those who should be authorized.

Windows provides no utilities to list all the shares on a network and their security settings. ShareEnum fills that void, giving you the ability to enumerate all the file and printer shares in a domain, an IP address range, or your entire network to quickly view the share permissions in a table view, and to change the permissions on those shares.

Because only a domain administrator has the ability to view all network resources, ShareEnum is most effective when you run it from a domain administrator account.

ShareEnum is a GUI utility and doesn’t accept any command line parameters (other than /accepteula). From the drop-down list, select <All domains>, which scans your entire network, <IP address range>, which lets you select a range of addresses to scan, or the name of a domain. Click Refresh to scan the selected portion of your network. If you selected <IP address range>, you will be prompted to enter a range of IP addresses to scan.

ShareEnum displays share information in a list view, as shown in Figure 8-3.

Figure 8-3 ShareEnum.

Click on a column header to sort the list by that column’s data, or drag the column headers to reorder them. ShareEnum displays the following information about each share:

  • Share Path: The computer and share name.

  • Local Path: The location in the remote computer’s file system that the share exposes.

  • Domain: The computer’s domain.

  • Type: Whether the share is a file share (Disk), a printer share (Printer), or Unknown.

  • Everyone: Permissions that the share grants to the Everyone group, categorized as Read, Write, Read/Write, or blank if no permissions are granted to the Everyone group.

  • Other Read: Entities other than the Everyone group that are granted Read permission to the share.

  • Other Write: Entities other than the Everyone group that are granted Change or Full Control permissions to the share.

  • Deny: Any entities that are explicitly denied access to the share.

Click the Export button to save the list contents to a tab-delimited Unicode text file. Choose Compare To Saved from the File menu to display the differences in permissions between the current list and a previously exported file.
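An exported list can also be audited outside the GUI. The following Python sketch is an added example, not code from the book or from Sysinternals: it flags disk shares that give Everyone write access and reports permission differences between two exports. It assumes the export columns follow the list-view order described above and that each data row begins with a UNC path; the hosts, paths, and groups in the sample data are constructed.

```python
# Assumption: export columns appear in the same order as the list view.
COLUMNS = ["Share Path", "Local Path", "Domain", "Type",
           "Everyone", "Other Read", "Other Write", "Deny"]

def parse_export(data):
    """Decode a tab-delimited Unicode (UTF-16) export into {share path: row}."""
    rows = {}
    for line in data.decode("utf-16").splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if not fields[0].startswith("\\\\"):
            continue  # skip blank lines and any header row
        fields += [""] * (len(COLUMNS) - len(fields))
        row = dict(zip(COLUMNS, fields))
        rows[row["Share Path"].lower()] = row  # share names are case-insensitive
    return rows

def everyone_writable(rows):
    """Disk shares whose Everyone column is Write or Read/Write."""
    return sorted(r["Share Path"] for r in rows.values()
                  if r["Type"] == "Disk" and "Write" in r["Everyone"])

def permission_changes(saved, current):
    """Shares added, removed, or whose permission columns differ."""
    changes = []
    for key in sorted(saved.keys() | current.keys()):
        old, new = saved.get(key), current.get(key)
        if old is None or new is None:
            kind = "added" if old is None else "removed"
            changes.append((kind, (new or old)["Share Path"], {}))
            continue
        diff = {c: (old[c], new[c]) for c in COLUMNS[4:] if old[c] != new[c]}
        if diff:
            changes.append(("changed", new["Share Path"], diff))
    return changes

def _export(rows):  # builds constructed sample data, not real ShareEnum output
    return "".join("\t".join(r) + "\r\n" for r in rows).encode("utf-16")

HR = [r"\\FS01\HR", r"D:\HR", "CORP", "Disk", "", r"CORP\HR", r"CORP\HR-Admins", ""]
SAVED = _export([
    [r"\\FS01\Public", r"C:\Public", "CORP", "Disk", "Read", "", r"CORP\Staff", ""], HR])
CURRENT = _export([
    [r"\\FS01\Public", r"C:\Public", "CORP", "Disk", "Read/Write", "", r"CORP\Staff", ""], HR,
    [r"\\WS17\Scans", r"C:\Scans", "CORP", "Disk", "Write", "", "", ""]])

if __name__ == "__main__":
    print(everyone_writable(parse_export(CURRENT)))
    for change in permission_changes(parse_export(SAVED), parse_export(CURRENT)):
        print(change)
```
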

To change the permissions for a share, right-click it in the list and choose Properties. ShareEnum displays a permissions editor dialog box for the share. To open a file share in Windows Explorer, right-click the share in the list and choose Explore from the popup menu.